Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/09/01 16:35:50 UTC

[Bug 58314] New: Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

            Bug ID: 58314
           Summary: Defaultly Execute "phtml" As "php" Package
                    "apache2-mpm-prefork package"
           Product: Apache httpd-2
           Version: 2.2.22
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: narendra.infosec@gmail.com

Created attachment 33057
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33057&action=edit
POC For Apache 2.2.22 Executing "phtml" as "php"

Hello Apache Security Team.

I just observed an issue when one of my Arbitrary File Upload vulnerabilities
got fixed.

Here I am explaining a scenario to you.

Many developers prevent File Upload vulnerabilities by blocking "['php', 'php3',
'php4', 'inc']", so most developers do the same for their applications to
prevent this.
But the better solution is to include these extensions also: "php5,pht,phtml"

Observation: I have observed that most Debian Linux systems which have the
"apache2-mpm-prefork package" package for their Apache service are set by
default to execute "phtml" as "php", which looks dangerous because most
developers only use "php,php3,php4,inc".
So if any developer misses adding "phtml" to the file upload blacklist, and if
the Debian Linux system which has the "apache2-mpm-prefork package" package is
set to execute "phtml" as "php" by default, then the whole server can be
compromised by the attacker.

For the POC I have attached the latest Kali Linux 2.0, which allows the user to
execute "phtml" as "php" by default.

I have tested this on the latest Kali Linux 2.0 version, which is running
Apache 2.2.22.

Waiting for your reply.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 58314] Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Eric Covener <co...@gmail.com> ---
Stop reopening the invalid bug report.  The link you shared has a clear "bug
reports" link.



[Bug 58314] Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

Narendra Bhati <na...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #4 from Narendra Bhati <na...@gmail.com> ---
OK, just looking for some help.

I guess the reason behind this is  -
https://packages.debian.org/jessie/libapache2-mod-php5

<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

====================

Can you please help me find out where I should report this?
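
An added example, not part of the original thread and not Apache or Debian code: it audits an upload filter's extension list against the FilesMatch pattern quoted in comment #4, using the blocklist from the original report. The allowlist, the helper names and the sample file names are assumptions constructed for illustration.

```python
import os
import re

# FilesMatch pattern quoted in comment #4 of this thread.
PHP_HANDLER = re.compile(r".+\.ph(p[345]?|t|tml)$")

# Blocklist described in the original report.
REPORTED_BLOCKLIST = {"php", "php3", "php4", "inc"}

# Assumption: extensions a hypothetical upload feature actually needs.
ALLOWED = {"jpg", "png", "gif", "pdf"}


def ext(filename):
    """Final extension, lower-cased, without the dot."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def handler_executes(filename):
    """True if the quoted FilesMatch pattern would hand the file to PHP."""
    return PHP_HANDLER.search(os.path.basename(filename)) is not None


def blocklist_accepts(filename, blocklist=REPORTED_BLOCKLIST):
    """Filter from the report: reject only extensions on the blocklist."""
    return ext(filename) not in blocklist


def allowlist_accepts(filename, allowed=ALLOWED):
    """Accept only known-good extensions that the handler does not match."""
    return ext(filename) in allowed and not handler_executes(filename)


def audit(filenames, accepts):
    """Names the filter accepts although the handler would execute them."""
    return [f for f in filenames if accepts(f) and handler_executes(f)]


# Constructed sample upload names, not taken from the report's attachment.
SAMPLES = ["a.php", "a.php3", "a.php4", "a.php5", "a.pht", "a.phtml",
           "a.inc", "a.jpg", "a.php.jpg"]

if __name__ == "__main__":
    print("blocklist gaps:", audit(SAMPLES, blocklist_accepts))
    print("allowlist gaps:", audit(SAMPLES, allowlist_accepts))
```

Run against the web server's real handler pattern, the same audit shows whether an application's upload filter and the server configuration agree on what counts as executable.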



[Bug 58314] Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

Narendra Bhati <na...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #2 from Narendra Bhati <na...@gmail.com> ---
(In reply to Eric Covener from comment #1)
> In the future, this is not the proper way to engage the security team.
> Contact security@apache.org privately.
> 
> However, if you have an issue with the default configuration of a
> third-party distribution of httpd, you'll have to address it with the
> respective project.

My mistake, I was not aware of this.

I guess you didn't get my point. The issue which I had reported is itself an
Apache module, see here - http://httpd.apache.org/docs/2.2/mod/prefork.html

I am talking about this.



[Bug 58314] Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Eric Covener <co...@gmail.com> ---
In the future, this is not the proper way to engage the security team. Contact
security@apache.org privately.

However, if you have an issue with the default configuration of a third-party
distribution of httpd, you'll have to address it with the respective project.



[Bug 58314] Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|REOPENED                    |RESOLVED

--- Comment #3 from Eric Covener <co...@gmail.com> ---
(In reply to Narendra Bhati from comment #2)
> (In reply to Eric Covener from comment #1)
> > In the future, this is not the proper way to engage the security team.
> > Contact security@apache.org privately.
> > 
> > However, if you have an issue with the default configuration of a
> > third-party distribution of httpd, you'll have to address it with the
> > respective project.
> 
> My mistake, I was not aware of this.
> 
> I guess you didn't get my point. The issue which I had reported is itself an
> Apache module, see here - http://httpd.apache.org/docs/2.2/mod/prefork.html
> 
> I am talking about this.

The prefork MPM doesn't execute PHP code.  Maybe you're confusing it with an
artifact of how it's packaged by your distribution w/ some snippet of
configuration.



[Bug 58314] Defaultly Execute "phtml" As "php" Package "apache2-mpm-prefork package"

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58314

Narendra Bhati <na...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |narendra.infosec@gmail.com
                 OS|                            |All
